Here’s what Ashley Madison members have told me
Monday, 24 August 2015
I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable for verified subscribers of Have I been pwned? (HIBP) and now – perhaps unsurprisingly in retrospect – I was being inundated with email. I mean hundreds of emails every day with people asking questions about the data. Not just asking questions, but often giving me their life stories as well.
These stories shed a very interesting light on the incident, one that most people are not privy to and one that doesn’t come across in the sensationalist news stories which have flooded every media outlet in recent days. When sent to me as an unknown third party in a (usually) foreign location, people tended to be especially candid and share stories that really illustrate the human impact of this incident. I thought I’d share some of those here – de-identified of course – to help people understand the real world impact of this incident and for those caught up in it to realise that they’re among many others going through the same pain.
I responded to every legitimate email I received. Very early on I wrote up a Q&A and the following is the canned response I sent in response to almost every query:
My apologies for not being able to respond to you personally, I’m addressing questions of this nature via a Q&A you can find here: http://www.troyhunt.com/2015/08/ashley-madison-data-breach-q.html
Here’s what Ashley Madison members have told me:
Lack of support from Avid Life Media
This probably shouldn’t be surprising under the circumstances, but there wasn’t much joy being had from concerned customers who wanted to get in touch with Avid Life about the incident:
I tried to reset the password and call them but they aren’t answering phones or responding to emails
This is one of the things that struck me most about the entire incident – the very poor communication from Avid Life. At the time of writing, there has been no direct communication with members that I’m aware of, no notification on the front page of www.ashleymadison.com and in fact the site still talks about “discreet encounters”, “trusted security” and “100% discreet service”. The way they’ve handled this incident has been appalling – it’s as if they’ve just stuck their fingers in their ears and sung “lalalalalala”. And no, the legal action they’ve taken behind the scenes to track down the perpetrators and issue DMCA takedown requests does nothing to actually protect the impacted individuals. By now, we should have seen the usual offer of identity protection, admission of guilt and at least something to try and assist those who are having their lives torn apart by this. Instead there’s nothing. Nada.
People aren’t really concerned about their financial information
I found it odd that Avid Life Media felt compelled to issue a statement that solely focussed on no financial data being compromised. Do they really think that after the most intimate, private aspect of people’s lives has been put on public display that a credit card their bank would simply replace if compromised is what they’re worried about?! I had a very small number of requests like this:
How would I find out if any of my credit card info and/or email addresses have been breached? Thank you.
Even then, the requests about cards were thrown in with other queries about the data. Perhaps Avid Life made that statement to appease the PCI folks, but certainly card data is the last thing Ashley Madison members are worried about right now.
Lack of tech savvy
Those of us who live in technology often forget just how foreign it can be to those who don’t. I’ve seen a lot of misunderstanding about fundamental technology concepts which victims of the breach obviously just haven’t grasped:
My question to you is Ashley Madison has not responded to request for a password change. So does that still get me the notification alert from you?
Now this website [redacted] if someone went to them and wanted to get my information & paid for this service. With having my email address. Could people get my information or would I get a notification from you stating that someone is requesting it?
I honestly found it hard to even understand some of these questions as the mechanics of databases and hackers and all sorts of other foreign concepts went over the heads of many people. That’s totally understandable too and it just goes to show how everyday folks have been caught up in this mess.
Tor, BitTorrent and MySQL crash courses
Many people wanted to inspect the data for themselves, but with no knowledge of Tor or how torrents work (let alone the ability to then decipher the contents of MySQL scripts), most were left struggling:
Can I check any of this myself using a Tor browser, which I do not know how to use?
I have downloaded the data but I can’t really make any sense of it, or in fact can’t even open some of it up as it’s too large
I have downloaded the dumps, but I am not very handy so I’m not finding anything relevant at the moment. I own a Mac and I don’t know how to open them, apart from using the standard txt editor and searching around.
I can totally understand the desire here but this simply isn’t data that’s consumable by your average person. Discovering it via Tor or downloading the torrent isn’t particularly hard, but actually parsing the files and combing through the personal data spread across multiple tables is no simple task. For your average person, setting out to try and do this poses another risk altogether…
Falling victim to malware and other online scams
Following from the previous point, in desperation to find information, some people were resorting to downloading what they thought was the Ashley Madison breach, but evidently was something different altogether:
It seems easy to download the complete list from the pirate site. However the associated applications seem very dodgy
We always see this pattern: a serious international event happens (e.g. the recent Malaysia Airlines crashes) and immediately after we see nefarious individuals attempting to monetise either the pain of victims or the curiosity of onlookers. I’ve seen multiple sites purporting to offer the Ashley Madison breach which just require you to install this one little executable in order to view it…
Requests to search by fields other than email
I had a huge number of requests like this:
Is there a way u could search on my name if I gave to you
Will this data dump be eventually searchable by bill zip code?
I wanted to know if there’s a way I can do a name search.
In some cases, people genuinely didn’t know what email address they’d used. In other cases, I’ll speculate and say that people were wanting to check up on other individuals which, of course, is precisely why I don’t allow a search on HIBP by anything other than a verified email address. Searching by zip code is a perfect example – people don’t want to do this to check their own exposure, they want this feature to discover a range of people.
One of the most frequent requests I got was to provide information on the actual data that had been exposed about the individual:
It’s been so long I genuinely don’t remember if I used a credit card, exchanged messages, what kind of personal information might have been in the profile, etc.
And I don’t know if there is any point in asking you but can you tell me what information about me is in the dump?
I do not remember what was on my profile but am desperate to find out.
I am hoping to find out how much of my data is exposed and to prepare for the worst.
I just found out my husband’s AM account is part of the hack. I want to know what information he put on the site.
Is there any way you can provide me with the info related to this email? At least then I can delete this email account and move on.
Now I am looking to confirm what I believe to be true so I can do damage control when the inevitable takes place. Some key info I want to find are:
– CC Txns (if any at all and corresponding date)
– Last Login
– Number of Logins
– Sign Up Date/Time*
– Cancellation Date/Time*
Is there no way you can tell me what info about me is on here? I’ve tried to locate the data and cannot, I need to know how to prepare for this. Thanks
This is understandable – people want to assess their exposure – but I always declined, not just because I simply couldn’t do this for everyone, but because I have absolutely no desire to see personal information of this nature from Ashley Madison and then communicate directly with the impacted individuals about it.
Please erase me from the internet
You can understand the sentiment and for those who don’t get how the web works, this would appear to be an entirely reasonable request:
I wonder if you could offer advice for trying to hide it again, take it off, remove it etc. or can this even be done?
Can I please unsubscribe my email so no one else can search me?
Do you know the reasoning why the company has not been successful in removing the material on Pastebin through the Digital Millennium law?
Could you assist in getting [redacted] off the AM dark web list?
As someone said to me in one of the comments on my blog, trying to remove your data from the web is “like trying to remove pee from a swimming pool”. I added the DMCA comment in there as well because this has come up many times in the press. There’s a good piece on it in an article that emerged after news of the attack first broke last month (paradoxically, stating that DMCA is the reason the full data hadn’t been leaked); do read Parker Higgins’ comment about the “fraudulent” use of the act in terms of its use for removing data breaches. Regardless, a US law will in no way stop the mass distribution of this data, particularly via a decentralised mechanism like torrents.
Can I please have the dump?
This was a common request:
Hi, can I get the bulk data dump for Ashley Madison
can I trouble you for the tor page link?
It’s an easy answer – no. At least you can’t have it from me.
Payment records deanonymising members
Some people used non-traceable email addresses when signing up to the service, but then used their real identities in order to make payment:
My main fear is my credit card would be associated with the account at AM.
I used a burner email address but paid once for a full membership. Now it seems my name and address are affiliated with the breach.
My email is private, just for Ashley Madison.
My real concern is, Is there any data which can be used to trace AM to me? For instance, I paid by a personal credit card when I first enrolled. How much trouble am I in?
Please please please delete that comment! It regards if cougarlife was hacked?! I don’t know how to delete it… I think I accidentally logged into fb while posting when I thought you could be anonymous
That last one was from someone who commented on this blog using only a very common first name not linked to a profile but clearly the whole saga got them very worried about their own operational security. Obviously some members were conscious of protecting their identity in terms of hiding their membership, but didn’t think through the digital footprints they leave by making online payments. Whilst the payment files don’t explicitly reference the identities in the membership database, both store the users’ IP addresses, often allowing you to make implicit matches across the two.
The impact of public search services
Multiple services designed for anyone to search anyone else’s email address quickly appeared and naturally, were quickly abused:
So got a call, from our church leaders yesterday, saying my husband’s work email was on [redacted], oh my!
What. The. Fuck. I appreciate the curiosity that some people may have in terms of searching for other people they may know, but searching for groups of people within an organisation and for that organisation to be a church is unfathomable enough, but to then call up the spouse and notify them beggars belief.
Incomplete data on other search services
I was somewhat intrigued by messages like this:
Why does my email address–[redacted]–appear on yours but doesn’t appear on three others, like [redacted] and [redacted]?
In fact I was so intrigued that I investigated it in more detail as the last thing I want is any inaccuracies in the HIBP data. What I found was that the two services mentioned in the above message did not include some email addresses from the payment history files. This is alarming as it may be creating a false sense of security for impacted individuals and it just goes to show the responsibility those of us standing up services like this take on board.
Closed email accounts and erasing the evidence
A lot of people were trying to effectively rewrite history by cancelling the email account they used for Ashley Madison. Either that or they’d legitimately moved on from both AM and the address they’d used for the site. Upon realising they needed access to the email account in order to search for it on HIBP, I got a lot of requests like this:
I used an alternate email address and have since canceled it out of sheer fear. How can I find out what, God help, if any of my info was leaked.
I had an email account [redacted] that I deleted in panic when the AM leak came out. I can see on other sites that it is included in the breach, but now that you’ve added the filter I can’t see it on HIBP.
This account was closed when the business was closed down early last year as it went through a third company that supplied our web site at this time.
Is there any way i can find out where the breach occurred ???
There was simply nothing I could do in these cases. Of course they could always search on another service which didn’t require verification that they could access the email account, but certainly HIBP wasn’t going to be able to help them out. The obvious problem here is that for all intents and purposes, “I don’t have access to my old email account” is the same thing as “I don’t have access to someone else’s email account”.
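The two design rules behind these refusals – search by a full email address only, and show results from a sensitive breach only to someone who has proven they control that mailbox – are easy to get wrong in a home-grown lookup service. The following is an added example written for this post, not HIBP’s own code; the breach index, the addresses in it and the `VerificationStore`, `start_verification`, `confirm` and `search` names are all constructed here to illustrate the gate. The token goes only to the mailbox, so “I don’t have access to my old email account” and “I don’t have access to someone else’s email account” fail in exactly the same way.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample index for this example: breach name -> (sensitive?, member addresses).
# These addresses are made up and are not taken from any real data set.
BREACHES = {
    "Adobe": (False, {"alice@example.com", "bob@example.com"}),
    "AshleyMadison": (True, {"bob@example.com", "carol@example.com"}),
}

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a verification link


@dataclass
class VerificationStore:
    # email -> (sha256 of token, expiry); only the hash is stored so a database
    # leak does not hand out usable tokens
    pending: dict = field(default_factory=dict)
    verified: set = field(default_factory=set)
    outbox: list = field(default_factory=list)  # stand-in for actually sending mail

    def start_verification(self, email: str) -> None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email.lower()] = (digest, time.time() + TOKEN_TTL_SECONDS)
        # The token is delivered to the address itself, so only whoever can read
        # that mailbox is ever in a position to present it.
        self.outbox.append((email.lower(), token))

    def confirm(self, email: str, token: str) -> bool:
        key = email.lower()
        entry = self.pending.get(key)
        if entry is None:
            return False
        digest, expiry = entry
        if time.time() > expiry:
            del self.pending[key]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False
        del self.pending[key]  # one-shot: a token cannot be replayed
        self.verified.add(key)
        return True


def search(email: str, store: VerificationStore) -> dict:
    """Look up one exact email address.

    Non-sensitive breaches are public. Sensitive breaches are listed only once
    the address has been verified, and the response for an unverified address
    looks identical whether or not it appears in a sensitive breach, so the
    lookup itself leaks nothing about sensitive membership.
    """
    key = email.lower().strip()
    if "@" not in key:
        # No search by name, zip code or any other attribute: those queries
        # exist to discover other people, not to check your own exposure.
        raise ValueError("search is by email address only")
    public = sorted(name for name, (sensitive, members) in BREACHES.items()
                    if not sensitive and key in members)
    if key not in store.verified:
        return {"breaches": public, "sensitive_withheld": True}
    sensitive_hits = [name for name, (sensitive, members) in BREACHES.items()
                      if sensitive and key in members]
    return {"breaches": sorted(public + sensitive_hits), "sensitive_withheld": False}


if __name__ == "__main__":
    store = VerificationStore()
    print(search("bob@example.com", store))       # Adobe only, sensitive withheld
    store.start_verification("bob@example.com")
    addr, tok = store.outbox[-1]                   # what the mailbox owner received
    print(store.confirm(addr, "guess"))            # False: no mailbox access, no result
    print(store.confirm(addr, tok))                # True
    print(search("bob@example.com", store))       # Adobe and AshleyMadison
```

The one detail worth copying even if nothing else is: the unverified response sets `sensitive_withheld` for every address, including ones that appear in no sensitive breach at all. Returning it only when there is something to hide would turn the lookup into exactly the kind of public search service the rest of this post is about.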
The observation has been made before, but the presence of a mere email address alone does not constitute infidelity on behalf of the account holder. When anyone can sign any email address up to the site, people who’d never even heard of Ashley Madison found themselves implicated:
I actually never signed up for this website which has lead me to believe that I have been victim of a scam. I have had numerous warnings of viruses on my computer. Perhaps this has something to do with it?
People like me are on the list despite NOT signing up on the website, because the website did NOT verify email addresses and someone gave mine as a supposedly fake address.
However, people seem to sign up for things all the time with my email address and I usually ignore it or do a quick password change on them so they have to move on.
Last night my wife asked me if I was one of the people that was using Ashley Madison. I haven’t used the service but I know she’s going to obsess about this so I did a search on a couple of sites where you could search email addresses for users. MY email address, this one, had a hit which is really perplexing to me since I’ve NOT used the service. Could someone have used my email address?
Of course these messages may also be ploys to convince their significant other that their presence on Ashley Madison was indeed none of their doing. The additional data attributes in the breach would tell the full story, which may also explain why I got so many data requests.
There’s no question of gender equality here; very close to 100% of the emails I got were about men having accounts on the site. Understandably, there were many suspicious wives asking me to check up on their husbands:
I wanted to know if you can search my husband’s name/info for the Ashley Madison hack. I have found the AM site shown 2 times on his iPad history & a MILF hook up site when I looked at the history. He claims they were “pop-ups” from porn sites.
That said, I have 20 years of my life invested with my husband & my gut tells me he is lying about it being on the iPad & there are other things that lead me to believe he was a “member”.
There’s a lot of speculation about what the actual split between men and women on the site was (although I’ve not seen much on sexuality so am working on the assumption of predominantly heterosexual relationships), much of it relating to fake female accounts possibly created by Ashley Madison or accounts created by sex industry professionals to lure men into paying for services. It’s all very conceivable and whilst we’ll never know the actual numbers, I can say with great confidence that AM is very heavily male biased.
There is an assumption that those who signed up were always married and looking to have an affair. Whilst this is undoubtedly the case for many people, there was nothing prohibiting single individuals from joining the site:
HELP! I signed up for AM one night but I’m actually single. I used my real email but fake info the rest of the process.
Whilst Ashley Madison may not represent the same moral high ground as other dating websites, there is a world of difference between someone in a committed relationship seeking out an affair and a single individual looking for a partner.
Alternate purposes for membership
Further to the previous point, there are other scenarios in which someone might create an account as well:
As a divorce attorney who often searched AM for my clients (and found a couple of cheaters there), I think it should be addressed that there are most likely women who merely joined AM as guests without paying or ever actually engaging- for the sole purpose of attempting to catch a cheating spouse.
I joined this site for 2 days about a year and half ago after my husband had an affair. I was having significant trust issues and joined ONLY to see if he was on the site.
You can’t help but feel doubly sorry for these women; not only were they dealing with their husband having an affair, now they’re also implicated as members of Ashley Madison themselves. It’s a terrible situation to find themselves in and again, a poignant reminder that an email address on the site does not mean the individual intended to cheat on their partner.
An outcome I hadn’t foreseen was some people thinking that any result for an email address on HIBP meant a presence on Ashley Madison:
Look dude, my wife wants a divorce now since my email shows ‘owned’ when she put it in. Can you explain to her it’s not for the Ashley Madison hack, it’s checking all the pwned sites
This was actually for Adobe, the same breach I had three different accounts in!
Membership was from a different phase of life
We all go through phases of life where our views on things change. Many people have moved on from whatever that previous phase was, but now the Ashley Madison data is publicly haunting them:
Was a guest briefly some time ago. Different circumstances. Wanted to check now as life has changed and be sure.
I don’t recall ever even visiting the site, but it’s possible in some moment of general curiosity to see if people actually did that sort of thing.
Several years ago, when I was single (and recovering from a very bad breakup), I took out a profile on Ashley Madison
Not really worried as these are all old accounts from my single days but just curious as to what’s floating around on the web.
I am single and not married, so this leak would make small harm, but it’s a scary reminder of the perils of this new world we live in.
I was an AM member back when I was single and although technically shouldn’t be concerned, my partner now is not one to take my word for it and will force me to sign up for notifications/verify my email and check my email.
I’ve included a few of these examples because I want to illustrate how important it is not to immediately assume that everyone on the site is cheating on their partner even if they were legitimate, paid up members. Of course many are (or at least “were”), but it’s important not to immediately make assumptions just because someone’s email address was on the site. Others will pass their own moral judgement on whether individuals should be registering on a site primarily designed for sexual encounters, but let us not confuse that with the issue of adultery where another innocent party is adversely affected.
It was never really serious…
I found people frequently justifying their account to me, as if they worried that a stranger on the other side of the world might judge them:
I know you’re not judgmental, but I’d be remiss if I didn’t state that I never actually met anyone – it was more of a game to see how I could get responses.
Never did anything but look around and deleted in like 2010. Really sad and scary.
Long story but was not cheating at all but had a profile created and then paid to have it deleted with their pay to delete function.
I joined Ashley Madison one night bored, honestly. Used my real email, but fake info from there on and never used a CC or got a real membership. Spent 15 mins and have never been back
I’ve been caught up in it, my own story a drunken evening, curious about the site, signed up, thought, OMG this is not a good thing to do, got out of the site, never touched it again
If we take these messages at face value – and I’m not sure there’s really much value in lying privately to a stranger for no apparent upside – many people were indeed just curious. Of course some people could be fabricating the message, but it’s entirely feasible that no nefarious activity actually took place.
It shouldn’t come as a surprise, but there was a huge amount of this:
No question I made a terrible, terrible mistake and pray to God this doesn’t come out and ruin my family.
I am not married but Ashley Madison was/is a mistake I made and wonder how much risk I am at being publicly embarrassed and more importantly embarrassing my Parents and Siblings.
I feel pretty sick and foolish – I’ve done nothing other than a few two sentence chats but I still don’t want to have to deal with this.
Last night was the worst night of my life. Found out my AM account had been breached.
I regret having signed up to the site and now terrified about hurting those around me, especially the one I love.
I am absolutely sick. I can’t sleep or eat and on top of that I am trying to hide that something is wrong from my wife.
My wife found out about it after I had exited the site and we have gone through a long period of working on our relationship. It’s been a long and painful journey – but a private one – and we are closer than ever before, and I bitterly regret what I did.
These were often very raw emotions and as the comment above says, it’s a private journey for many people. Regardless of your take on the ethics of someone being on the site in the first place, most people would agree that in situations like this, the individuals deserve the privacy to work on their relationships and move forward in life. This incident will seriously jeopardise the ability for many couples to do just that and unfortunately the prevalence of publicly searchable AM databases merely fuels that fire and sets these couples back even further.
Fear and desperation
Clearly many people were fearful of being discovered for having an account on the site, either by their partner or by other members of the community. The fear of potential consequences often came through in a very raw way:
I love her very much and don’t want to lose her, I am deeply worried that she will leave and greatly impact my life.
I literally cannot sleep and never met anyone but am terrified as what might happen.
I never met anyone on the site, I’m not married, but this has me spinning. I need advice. Please help.
At this point I’m desperate. Worried that something like this could ruin my life/marriage when I was not on that site for anything that I can remember, possibly curiosity/joking with friends, but I can’t recall. I’ve barely slept over the past day due to worry
This whole situation is very confusing and scary.
My stress levels are through the roof, still hoping that by some miracle this will just be forgotten about and no one will want to search me up.
My last resort is asking you if you could PLEASE PLEASE PLEASE help me out and let me know what you have on me.
Sorry, I appreciate that must sound like a completely naive/desperate question, but that’s the level I’m playing at.
What would be impossible to explain away – and what I would most feel guilty about – is the very detailed personal intimate information about my wife shared with strangers during my ‘erotic’ chats.
Admittedly, it was hard to read comments like the last one and not feel resentment. Having that canned response available and merely directing people to the Q&A saved me from having to construct very difficult personal responses to emails like this. But do take the other ones on board too; this is the real world consequence of this event.
The impact on families
As a father myself, the hardest messages to read were the ones like this:
But I’m just a guy here with a wife that I really do love, I regret what I did, and I have two beautiful kids that will get sucked into this too. It’s just horrible.
I have a couple of 3 year old kids. I can tell you my amount of activity on this site was basically limited to one or two session logins and more of just curiosity on what’s there… And in this case, looks like curiosity could kill the cat.
Tell your wife and kids you love them tonight. I shall do the same as I really don’t know if I will have many more chances to do so.
I read that last one right before going to bed last night and it was difficult to grasp; extramarital affairs tear families apart. You don’t need Ashley Madison for that to happen and arguably the guys making these comments deserve to go through some degree of pain, but you can’t escape the human tragedy that this data breach has brought to a head. It’s hugely distressing not just for the members who did indeed have affairs, but their families as well.
Real world consequences
It’s not always obvious just what impact a presence on Ashley Madison can have in “the real world”; I certainly learned things I was never expecting:
adultery is a punishable offense under the U.S. Army’s Uniform Code of Military Justice, and while simply having an active account at this website doesn’t indicate any wrongdoing, it’s possible that as the data become more publicized, some people are in for a lot of headaches.
One of the big concerns has always been that someone will take their life as a result. Allegedly, this may have already happened and it’s hard to see how it wouldn’t happen with such a huge user base impacted by such a significant event on so many lives.
Impact on professional life
A number of people were really worried about what membership of Ashley Madison – regardless of their context in there – might mean for their professional career:
How can this show up in a back ground check for jobs or anything if I have and provide this new email account to the admission boards and employers?
How do I keep it private from clients, customers, relatives etc.
I would like to know as I am very concerned but the whole mess and am a school teacher and really want to know what information they will eventually have access to.
And now my email address (which is my actual email address…dumb) is available to anyone who searches it. I am a professional and this could potentially be devastating.
In an era where employers are increasingly focused on building profiles of potential hires, I totally understand the concern. There’s a good example of this concern in the public comment thread of my first Ashley Madison post and you can sense the trauma this is causing the woman. That thread also demonstrates that whilst this is never something that should be used against someone seeking employment, the reality is that it will become one more data attribute in the increasingly rich profiles that are built up about individuals. There will surely be those that pass judgement against members regardless of their context on the site, so let me give you some examples.
They got what they deserved
I want to add this here after all the other comments to illustrate how short-sighted some people are being about the breach. If you’ve read through all the comments above you would have seen many different levels of involvement in the site from entire innocence through to outright betrayal. Yet somehow, there are those who seek to tar everyone with the same brush:
JUSTICE for all the good people getting cheated on. I’m glad the list has been exposed. I don’t care if other innocent people that weren’t cheating were exposed, that’s the risks you get when signing up for this crap online TOO BAD.
If you ended up using an email address that you’ve shared with anyone else, you deserve to have your information exploited in such a way.
The fact that 30 million sleazebags had their identities and details revealed by these hackers fills me with amusement more than horror. The only improved result to my mind would have been a letter addressed to their home addresses with ASHLEY MADISON membership update printed in large letters on the front.
The chickens come home to roost. I’m glad someone is providing some true justice in the world. It sucks to be cheated on and I hope everyone on that site feels like shit and loses someone who truly cared for them.
Anyone who signed up to this sick site deserves everything they have coming to them.
These are largely from public comments made on posts such as my original one on how I’d handle the data breach. I hope this offers some perspective to those who wish to pass blanket moral judgements on everyone. As much as Ashley Madison’s mission statement is centred around the premise of infidelity, this incident is far more complex than just a bunch of cheating spouses.
This has been a lengthy post as I’ve continued to add to it as the messages have flooded in. I’ve been very careful to choose only messages that disclose nothing of the sender and this has meant not sharing the vast majority that came in. If nothing else, I hope it demonstrates how much of an impact this is having on lives, both those who set out to cheat on their spouses and the innocent bystanders be they accidental members, curious onlookers or the partners of those who have been outed. This incident needs to be approached with the understanding that for many people, this is the worst time of their life and for some, it feels like the end of it.
Microsoft MVP for Developer Security, Pluralsight author and international speaker, you’ll usually find me talking about web security and “The Cloud”